Saturday, 30 August 2014

[Framework] J-SOX - Designing Internal Controls

BACKGROUND
J-SOX’s main objective is to ensure the reliability of financial reporting; the internal controls it prescribes are therefore limited to financial reporting, with four key objectives:
  • Effective and efficient operations
  • Compliance with law & regulations
  • Safeguarding of Assets
  • Reliability of Financial Reports
With the objectives in mind, management will design and implement company-level and process-level internal controls. 


DESIGNING INTERNAL CONTROLS
An article by Masuda Funai highlighted 6 internal control components that management is required to design and implement in its processes to achieve J-SOX’s key objectives. They are:
1. Control Environment
2. Risk assessment and response
3. Control Activities
4. Information & Communication
5. Monitoring
6. Response to Information Technology


1. CONTROL ENVIRONMENT
An environment with strong controls should have the following:
  • The Board of Directors is able to receive timely information for monitoring and to express its opinion independently.
  • Integrity & Ethical Values
  • Proper accounting & reporting practices

Examples of ways to promote a strong control environment are:
  • Clear policies & procedures
  • Ensure information flow to decision makers (Stakeholders)
  • Clear authority & responsibility in carrying out tasks assigned.


2. RISK ASSESSMENT AND RESPONSE
Risk assessment & response requires the organization to “identify, classify, analyze, assess and respond to risks that could prevent the organization from achieving its business goals and selecting the appropriate response to deal with such risks” (Masuda Funai Newsletter #2, 2008).

Organizations can implement ERM programs to deal with internal and external risks. External risks include market competition and changes in regulatory requirements.

Internal risks are categorized into company-level risks and process-level risks. Process-level risks are items affecting the organization's objective, whereas company-level risks are items such as the loss of a certain market and any material litigation cases.



3. CONTROL ACTIVITIES

Control activities refer to the policies and procedures in place, and to whether appropriate authority is given to staff in accordance with the company’s risk appetite. They also cover the segregation and division of duties in operational processes.


4. INFORMATION & COMMUNICATION
“The information and communication component involves ensuring that necessary information is identified, understood, processed, and accurately communicated to all relevant parties in a timely and appropriate manner.” (Masuda Funai Newsletter #3, 2008)

It involves the flow and availability of information in multiple directions, to parties such as shareholders, regulatory authorities, senior management and staff, for decision making.


5. MONITORING
“The Standards define Monitoring as an ongoing process that continuously assesses the effectiveness of the company’s internal controls.” (Masuda Funai Newsletter #4, 2008)

Independent evaluations of the design and operation of the internal controls will be conducted by the audit committee or external resources.



6. RESPONSE TO INFORMATION TECHNOLOGY
“The Standards note that Response to IT is not intended to force organizations to introduce or upgrade existing systems.” (Masuda Funai Newsletter #4, 2008)

Rather, it is a way to emphasize the importance of IT and to incorporate all the necessary IT requirements and opportunities into processes and procedures, for example by promoting electronic payment transfers and paperless processes.

Source: www.masudafunai.com